G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile Security Framework
TRANSCRIPT
G4H Webcast
Ajin Abraham
Automated Security Analysis of Mobile Applications with Mobile Security Framework.
Mobile Security Framework
Mobile Security Framework is an intelligent, all-in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static and dynamic analysis.
Inputs
• Android, iOS binaries (APK, IPA)
• Android Zipped Source Code (Eclipse, Android Studio)
• iOS Zipped Source Code
• Android Binary – Static and Dynamic Analysis
• Android Source – Static Analysis
• iOS Binary and Source – Static Analysis
(Tizen support is on its way)
Open Source Project
• Feel free to contribute:
• Source: https://github.com/ajinabraham/YSO-Mobile-Security-Framework
• Issues: https://github.com/ajinabraham/YSO-Mobile-Security-Framework/issues
Setting it Up
Android
• Python 2.7
• Django 1.8
• Oracle Java - JDK 1.7+
iOS
• Python 2.7
• Django 1.8
• Oracle Java - JDK 1.7+
• Mac
Static Analysis
• Android
– INFORMATION GATHERING
– DECOMPILE TO JAVA & SMALI
– PERMISSION ANALYSIS
– MANIFEST ANALYSIS
– JAVA CODE ANALYSIS
– ANDROID API INFO
– FILE ANALYSIS
– URLS, EMAIL, FILES, STRINGS, ANDROID COMPONENTS
– REPORT GENERATION
DEMO
• Static Analysis of APK
• Static Analysis of Zipped Source Code
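As an added example (not MobSF's own code), the following Python 3 script shows the kind of check the MANIFEST ANALYSIS and ANDROID COMPONENTS stages perform on a decoded AndroidManifest.xml: dangerous permissions, debuggable and allowBackup flags, and components that are exported, either explicitly or implicitly through an intent-filter, without a protecting permission. The manifest, package name and component names below are constructed for illustration and do not come from any real app.

```python
"""Manifest checks of the kind a static analyzer runs on a decoded
AndroidManifest.xml. Added example, not MobSF code."""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
LAUNCHER = "android.intent.category.LAUNCHER"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Small subset of permissions in Android's "dangerous" protection level.
DANGEROUS_PERMISSIONS = {
    "android.permission.READ_SMS", "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS", "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.CAMERA",
}

# Constructed sample manifest (hypothetical package and class names).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true"/>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="demo"/>
      </intent-filter>
    </activity>
    <activity android:name=".InternalActivity" android:exported="false">
      <intent-filter>
        <action android:name="com.example.demo.INTERNAL"/>
      </intent-filter>
    </activity>
    <receiver android:name=".BootReceiver"
        android:permission="com.example.demo.PRIVILEGED">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name=".SyncService"/>
  </application>
</manifest>
"""


def is_exported(component):
    """Pre-API-31 rule: an explicit android:exported wins; otherwise a
    component is implicitly exported if it declares any intent-filter."""
    explicit = component.get(ANDROID + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None


def is_launcher(component):
    """True for the app's launcher entry, which is exported by design."""
    return any(cat.get(ANDROID + "name") == LAUNCHER
               for cat in component.iter("category"))


def analyze_manifest(xml_text):
    """Return (severity, message) findings for one decoded manifest."""
    root = ET.fromstring(xml_text)
    findings = []

    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID + "name", "")
        if name in DANGEROUS_PERMISSIONS:
            findings.append(("high", "dangerous permission: " + name))

    app = root.find("application")
    if app is None:
        return findings
    if app.get(ANDROID + "debuggable") == "true":
        findings.append(("high", "android:debuggable=true (debugger attachable on a release build)"))
    if app.get(ANDROID + "allowBackup", "true") == "true":
        findings.append(("medium", "android:allowBackup not disabled (app data extractable via adb backup)"))

    # Direct children of <application> are the components.
    for comp in app:
        if comp.tag not in COMPONENT_TAGS or not is_exported(comp) or is_launcher(comp):
            continue
        name = comp.get(ANDROID + "name")
        guard = comp.get(ANDROID + "permission")
        if guard:
            findings.append(("info", f"{comp.tag} {name} exported, protected by {guard}"))
        else:
            findings.append(("high", f"{comp.tag} {name} exported without permission"))
    return findings


if __name__ == "__main__":
    for severity, message in analyze_manifest(SAMPLE_MANIFEST):
        print(f"[{severity}] {message}")
```

The manifest inside an APK is stored as binary XML, so a framework decodes it first (apktool or androguard) and runs checks like these on the result. Since Android 12 (API 31) components with intent-filters must declare android:exported explicitly, but the implicit-export rule above still governs apps targeting older API levels, which is why a permission-less exported activity or receiver is worth reporting.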
Static Analysis
• iOS - Binary
– BASIC INFORMATION
– BINARY ANALYSIS
– FILE ANALYSIS
– LIBRARIES
– FILES
– REPORT GENERATION
• iOS - Source
– BASIC INFORMATION
– CODE ANALYSIS
– iOS API INFORMATION
– FILE ANALYSIS
– URL, EMAIL, FILES, LIBRARIES
– REPORT GENERATION
DEMO
• Static Analysis of IPA Binary
• Static Analysis of Zipped Source Code
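As an added example for the iOS BINARY ANALYSIS stage (not MobSF's own code), this Python 3 script reads the Mach-O header of an app executable taken out of an IPA, handles fat (multi-architecture) files, and reports per slice whether the binary was linked position-independent (the MH_PIE flag), one of the hardening properties such a stage reports. The binaries it analyzes are constructed header bytes built inline, not a real app; the constants are the standard Mach-O values.

```python
"""Mach-O hardening check: is each executable slice linked as PIE?
Added example, not MobSF code; the binaries below are constructed bytes."""
import struct

MH_MAGIC = 0xFEEDFACE      # 32-bit header, file is big-endian
MH_MAGIC_64 = 0xFEEDFACF   # 64-bit header, file is big-endian
MH_CIGAM = 0xCEFAEDFE      # byte-swapped: file is little-endian (x86, arm)
MH_CIGAM_64 = 0xCFFAEDFE
FAT_MAGIC = 0xCAFEBABE     # fat/universal header, always big-endian
MH_EXECUTE = 0x2
MH_PIE = 0x00200000        # main executable can be loaded at a random base
CPU_TYPE_ARM64 = 0x0100000C
CPU_TYPE_X86_64 = 0x01000007


def parse_macho_header(blob):
    """Parse one thin Mach-O header and return its hardening-relevant fields."""
    (magic,) = struct.unpack_from(">I", blob, 0)
    if magic in (MH_MAGIC, MH_MAGIC_64):
        order = ">"
    elif magic in (MH_CIGAM, MH_CIGAM_64):
        order = "<"
    else:
        raise ValueError("not a thin Mach-O header: magic 0x%08x" % magic)
    is64 = magic in (MH_MAGIC_64, MH_CIGAM_64)
    # cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags follow the magic
    cputype, _cpusub, filetype, _ncmds, _sizeofcmds, flags = struct.unpack_from(
        order + "iiIIII", blob, 4)
    return {
        "cputype": cputype,
        "is64": is64,
        "executable": filetype == MH_EXECUTE,
        "pie": bool(flags & MH_PIE),
        "flags": flags,
    }


def analyze_binary(blob):
    """Return one result per architecture slice (fat) or a single result (thin)."""
    (magic,) = struct.unpack_from(">I", blob, 0)
    if magic != FAT_MAGIC:
        return [parse_macho_header(blob)]
    (nfat_arch,) = struct.unpack_from(">I", blob, 4)
    results = []
    for i in range(nfat_arch):
        # fat_arch: cputype, cpusubtype, offset, size, align (20 bytes, big-endian)
        _cputype, _cpusub, offset, size, _align = struct.unpack_from(">iiIII", blob, 8 + 20 * i)
        results.append(parse_macho_header(blob[offset:offset + size]))
    return results


# --- constructed sample binaries: headers only, no load commands ---

def build_thin_header(flags, cputype=CPU_TYPE_ARM64):
    """Little-endian mach_header_64 (32 bytes) with the given flags."""
    return struct.pack("<IiiIIIII", MH_MAGIC_64, cputype, 0, MH_EXECUTE, 0, 0, flags, 0)


def build_fat(slices):
    """Wrap (cputype, thin_blob) pairs in a fat header."""
    header = struct.pack(">II", FAT_MAGIC, len(slices))
    base = 8 + 20 * len(slices)
    archs, body = b"", b""
    for cputype, blob in slices:
        archs += struct.pack(">iiIII", cputype, 0, base + len(body), len(blob), 0)
        body += blob
    return header + archs + body


if __name__ == "__main__":
    sample = build_fat([(CPU_TYPE_ARM64, build_thin_header(MH_PIE)),
                        (CPU_TYPE_X86_64, build_thin_header(0, CPU_TYPE_X86_64))])
    for s in analyze_binary(sample):
        print("cputype=0x%08x executable=%s pie=%s" % (s["cputype"], s["executable"], s["pie"]))
```

On a real target, unzip the IPA and pass the bytes of the main executable inside the .app bundle to analyze_binary; otool -hv prints the same flags for cross-checking. A slice without MH_PIE is loaded at a fixed address and loses ASLR, which is why binary-analysis stages call it out.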
Dynamic Analyzer - Architecture
[Architecture diagram; labels recovered from the slide:]
Components: Android VM; Agents (installed in the VM); HTTP(S) Proxy
Steps shown: Start HTTP(S) Web Proxy; Install and Run APK; Invoke Agents in VM; Results
Data collected: HTTP(S) Traffic (through the proxy); Application Data; Agent Collected Information
Dynamic Analysis
• SCREENSHOT
• HTTP(S) TRAFFIC
• LOGCAT and DUMPSYS
• DROIDMON API MONITOR
• DYNAMIC URLS and EMAILS
• DUMPED APPLICATION DATA
• FILE ANALYSIS ON APPLICATION DATA
• REPORT GENERATION
• (UNDER DEVELOPMENT)
DEMO
• Under Dev + Lots
• Hoping that things will work!
Interesting Facts
• Free and Open Source
• Supports VMs and rooted phones with our agents installed.
• Complete Mobile Application Security Testing (Android, iOS and Tizen*).
• Reporting
Future Plans
- Pentesting server-side components of hybrid applications.
- Exploitation module.
G4H Mobile Security CTF
GETSECRET.apk, SENDSECRET.apk
• The CTF entry point is GETSECRET; you need to capture the secret sent from SENDSECRET to GETSECRET.
• Vulnerabilities:
SENDSECRET
– Exported Activity: .ValidateAccess
– Logical Vulnerability: sends the secret to any application with package name opensecurity.getsecret and Activity name GetFlag
GETSECRET
– Hardcoded Password: LoginActivity
– Exported Activities: AskSecret, GetFlag
– Logging Sensitive Information: logging the Secret
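As an added example of what the JAVA CODE ANALYSIS stage does with the vulnerability classes listed above (not MobSF's rules and not the CTF's real source), this Python 3 script runs a few regex rules over decompiled Java: a credential hardcoded in source, a sensitive value passed to android.util.Log, world-readable storage modes, and an explicit intent that picks its target by package name alone. The Java snippets are constructed to resemble those vulnerability classes; the class and package names follow the slides, but every method body is hypothetical.

```python
"""Regex rules of the kind a source-code analysis stage runs over
decompiled Java. Added example; not MobSF's rules and not the CTF's
real source."""
import re

# Constructed Java, modeled on the vulnerability classes on the slides.
# Class/package names follow the slides; the bodies are hypothetical.
SAMPLE_SOURCES = {
    "opensecurity/getsecret/LoginActivity.java": """
package opensecurity.getsecret;
public class LoginActivity extends Activity {
    private static final String PASSWORD = "s3cr3tP@ss";
    void onLogin(String input) {
        if (input.equals(PASSWORD)) {
            startActivity(new Intent(this, AskSecret.class));
        }
    }
}
""",
    "opensecurity/getsecret/AskSecret.java": """
package opensecurity.getsecret;
public class AskSecret extends Activity {
    void onSecret(String secret) {
        Log.d("AskSecret", "received secret: " + secret);
        SharedPreferences p = getSharedPreferences("store", MODE_WORLD_READABLE);
        p.edit().putString("s", secret).apply();
    }
}
""",
    "opensecurity/sendsecret/ValidateAccess.java": """
package opensecurity.sendsecret;
public class ValidateAccess extends Activity {
    void send(String secret) {
        Intent i = new Intent();
        i.setClassName("opensecurity.getsecret", "opensecurity.getsecret.GetFlag");
        i.putExtra("secret", secret);
        startActivity(i);
    }
}
""",
}

# (rule id, compiled regex, severity, description)
RULES = [
    ("hardcoded_secret",
     re.compile(r'(password|passwd|pwd|secret|api_?key|token)\w*\s*=\s*"[^"]{4,}"', re.I),
     "high", "Credential or secret hardcoded in source"),
    ("sensitive_logging",
     re.compile(r'Log\.[vdiwe]\s*\(.*(secret|password|token|pin)', re.I),
     "medium", "Sensitive value written to logcat (readable by other apps before 4.1, and via adb)"),
    ("world_readable_storage",
     re.compile(r'MODE_WORLD_(READABLE|WRITEABLE)'),
     "high", "File or preferences created world-readable/writable"),
    ("trust_by_package_name",
     re.compile(r'setClassName\s*\(\s*"[^"]+"\s*,'),
     "medium", "Explicit intent to another app selected by package name only; "
               "any installed app using that package/class name receives the extras"),
]


def scan_sources(files):
    """Run every rule over every line; return one finding per match."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for rule_id, regex, severity, description in RULES:
                if regex.search(line):
                    findings.append({
                        "file": path, "line": lineno, "rule": rule_id,
                        "severity": severity, "description": description,
                        "code": line.strip(),
                    })
    return findings


if __name__ == "__main__":
    for f in scan_sources(SAMPLE_SOURCES):
        print(f"[{f['severity']}] {f['file']}:{f['line']} {f['rule']}: {f['code']}")
```

Line-oriented regexes are what makes such a stage fast over a whole decompiled tree, and also what makes it noisy: the hardcoded_secret rule, for instance, only fires on a quoted literal assigned to a name that looks like a credential, so a secret assembled at runtime or split across lines needs a reviewer or the dynamic analyzer to catch.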
G4H - CTF- How to Solve
1. Reverse DexGuard, find the logic, and reverse the hardcoded secret to decrypt the AES-encrypted flag.
2. Bypass the login of GETSECRET and wait till the random number matches, at which point SendSecret sends the Secret. Collect the Secret from the log and enter it in the GetFlag activity to get the Flag.
3. Easiest: patch the APK and recompile it.
Sorry
• Can't cover reversing DexGuard.
• Blog post removed!
• The license I have denies reversing DexGuard technology.